Abstract — This paper is concerned with several security notions for information theoretically secure encryptions defined by the variational (statistical) distance. To ensure perfect secrecy (PS), the mutual information is often used to evaluate the statistical independence between a message and a cryptogram. On the other hand, in order to treat information theoretically secure encryptions and computationally secure ones in a unified way, it is necessary to reconsider the notion of PS in terms of the variational distance. However, three kinds of definitions for PS are naturally introduced based on the variational distance, and their relations are not known. In this paper, we clarify that one of the three definitions for PS with the variational distance, which is a straightforward extension of Shannon's perfect secrecy, is stronger than the others, and that the weaker two definitions of PS are essentially equivalent to the statistical versions of indistinguishability and semantic security.

I. Introduction 

Perfect secrecy (PS) is a strong security notion which is 
secure against an adversary with unbounded computing power. 
Perfect secrecy was defined by Shannon [1], and he proved that 
perfect secrecy is achieved by one time pad (Vernam) cipher 
[2]. Furthermore, in order to achieve perfect secrecy, Shannon 
also proved in [1] that the entropy of a key must be greater 
than the entropy of a message, which makes perfect secrecy 
quite impractical. 

Roughly speaking, PS is defined by the statistical indepen- 
dence between a message M and a cryptogram C. Specifically, 
we often require almost statistical independence between C 
and M to ensure PS. We note here that two metrics can be 
used to measure the almost statistical independence, i.e., the 
mutual information and the variational (statistical) distance. In 
general, the mutual information is often used in information 
theoretic cryptography since it guarantees stronger security 
compared to the security notions based on the variational 
distance due to Pinsker's inequality. On the other hand, the 
variational distance is often used in computationally secure 
cryptography: For instance, indistinguishability (IND) and 
semantic security (SS) are defined in terms of the variational 
distance. We note that several researchers recently discussed 
one time pad cipher under the security notions developed in 
computationally secure cryptography. For instance, Russell- 
Wang [3] introduced entropic security based on semantic 
security, and they succeeded in shortening the key length of 



a symmetric key cryptosystem which is secure against an 
unbounded adversary. In addition, Dodis-Smith [4] introduced 
another security notion which is closely related to indistin- 
guishability, and they gave the other realization of entropic 
security by using extractors [5]. 

Given the above background, we are interested in PS defined by the variational distance and its relation to IND and SS, which will help a comprehensive understanding of information theoretically secure encryptions and computationally secure ones. However, as we will see in Definition 2, three kinds of definitions of PS, denoted by $\mathrm{PS}_{*M}(\varepsilon)$, $\mathrm{PS}_{C*}(\varepsilon)$, and $\mathrm{PS}_{CM}(\varepsilon)$, can be naturally introduced in terms of the variational distance. It is obvious that these three notions of PS are the same when $\varepsilon = 0$. However, in the case of $\varepsilon > 0$, their relations are not known. In this paper, we will point out that $\mathrm{PS}_{*M}(\varepsilon)$ is stronger than the others by showing a pathological example. Furthermore, it will be proved that the remaining two definitions $\mathrm{PS}_{C*}(\varepsilon)$ and $\mathrm{PS}_{CM}(\varepsilon)$ guarantee essentially the same security as the statistical versions of IND and SS.

The rest of this paper is organized as follows: In Section II, notation and three variations of PS are introduced. Statistical IND is introduced in Section III, and the relations between PS and statistical IND are clarified. A relation between statistical IND and statistical SS is proven in Section IV. Finally, a gap between one of the three variations of PS and the other security notions is pointed out in Section V. Technical lemmas are provided in the Appendix.

II. Preliminaries 

Let $M$, $K$, and $C$ be random variables taking values in finite sets $\mathcal{M}$, $\mathcal{K}$, and $\mathcal{C}$, which correspond to the sets of messages, keys, and cryptograms, respectively. For a random variable $X$ taking values in a finite set $\mathcal{X}$ and an element $x \in \mathcal{X}$, denote by $P_X(x)$ the probability of $X = x$. Let $\mathcal{P}(\mathcal{X})$ be the totality of probability distributions over $\mathcal{X}$.

A symmetric key cryptosystem $\Sigma$ consists of a probability distribution $P_K \in \mathcal{P}(\mathcal{K})$ of a key and a pair of an encryption function $\mathrm{Enc}: \mathcal{M} \times \mathcal{K} \to \mathcal{C}$ and a decryption function $\mathrm{Dec}: \mathcal{C} \times \mathcal{K} \to \mathcal{M}$, i.e., $\Sigma = (P_K, \mathrm{Enc}, \mathrm{Dec})$. Note that $K$ is chosen independently of a message $M$, and $\mathrm{Enc}$ and $\mathrm{Dec}$ are deterministic maps. Suppose that a message is generated according to a probability distribution $P_M \in \mathcal{P}(\mathcal{M})$. Then, the probability distribution $P_C$ of a cryptogram is determined by $P_M$, $P_K$ and $\mathrm{Enc}$. Let $P_{CM}$ be the joint probability distribution of a cryptogram $C$ and a message $M$, and denote by $P_{C|M}$ the conditional distribution of a cryptogram when a message is given. Denote by $\mathsf{P}_{C|M}$ the $|\mathcal{C}| \times |\mathcal{M}|$ transition probability matrix¹ associated with $\{P_{C|M}(c|m)\}_{c \in \mathcal{C}, m \in \mathcal{M}}$, i.e., each element of $\mathsf{P}_{C|M}$ corresponds to $P_{C|M}(c|m)$ for $c \in \mathcal{C}$ and $m \in \mathcal{M}$. The following theorem states fundamental properties of $P_{C|M}$ for symmetric key encryptions. The proof is provided in Appendix A.

Theorem 1: If a key $K$ is chosen independently of a message $M$, it holds that²

$$\forall c \in \mathcal{C}, \forall m \in \mathcal{M}, \quad P_{C|M}(c|m) = \Pr\{\mathrm{Enc}(m, K) = c\}. \quad (1)$$

Furthermore, in the case of $|\mathcal{C}| = |\mathcal{M}|$, there exists a symmetric key cryptosystem $\Sigma$ satisfying (1) iff (if and only if) the probability transition matrix $\mathsf{P}_{C|M}$ is doubly stochastic³. □

Hence, we assume that the conditional probability distribution $P_{C|M}(c|m)$, $c \in \mathcal{C}$, $m \in \mathcal{M}$, is naturally defined by (1) if a symmetric key cryptosystem $\Sigma$ is given.

Shannon defined the notion of perfect secrecy as follows:
Definition 1 (Perfect secrecy, [1]): A symmetric key cryptosystem $\Sigma = (P_K, \mathrm{Enc}, \mathrm{Dec})$ guarantees perfect secrecy if

$$\forall c \in \mathcal{C}, \forall m \in \mathcal{M}, \quad P_{M|C}(m|c) = P_M(m) \quad (2)$$

is satisfied for an arbitrary message distribution $P_M$. □
Definition 1 means that no information about a message can be obtained from a cryptogram, since the a priori probability distribution $P_M$ of a message coincides with the a posteriori probability distribution of $M$ computed by an adversary using a cryptogram.

It is easy to see that (2) is equivalent to

$$\forall c \in \mathcal{C}, \forall m \in \mathcal{M}, \quad P_{C|M}(c|m) = P_C(c) \quad (3)$$
$$\forall c \in \mathcal{C}, \forall m \in \mathcal{M}, \quad P_{CM}(c, m) = P_C(c)P_M(m) \quad (4)$$

since (2) means that the random variables $M$ and $C$ are statistically independent.

We now consider relaxed definitions of perfect secrecy. That is, we define almost independence between a message $M$ and a cryptogram $C$ given by (2)-(4) in terms of the variational (statistical) distance⁴ denoted by $d(\cdot, \cdot)$.

Definition 2: For a real number $\varepsilon \in [0, 1]$, we say that a symmetric key cryptosystem $\Sigma$ is $\mathrm{PS}_{*M}(\varepsilon)$-, $\mathrm{PS}_{C*}(\varepsilon)$-, or $\mathrm{PS}_{CM}(\varepsilon)$-secure if $\Sigma$ satisfies the following conditions, respectively:

$\mathrm{PS}_{*M}(\varepsilon)$: $\forall P_M \in \mathcal{P}(\mathcal{M})$, $\forall c \in \mathcal{C}$, $\; d(P_{M|C}(\cdot|c), P_M(\cdot)) \le \varepsilon$

$\mathrm{PS}_{C*}(\varepsilon)$: $\forall P_M \in \mathcal{P}(\mathcal{M})$, $\forall m \in \mathcal{M}$, $\; d(P_{C|M}(\cdot|m), P_C(\cdot)) \le \varepsilon$

$\mathrm{PS}_{CM}(\varepsilon)$: $\forall P_M \in \mathcal{P}(\mathcal{M})$, $\; d(P_{CM}(\cdot, \cdot), P_C(\cdot)P_M(\cdot)) \le \varepsilon$ □

¹ $|\cdot|$ denotes the cardinality of a set.

² $\Pr\{\cdot\}$ is a probability with respect to the (joint) probability distribution of the random variable(s) between the braces.

³ A probability transition matrix $\mathsf{P}_{C|M}$ is doubly stochastic iff $\sum_{c \in \mathcal{C}} P_{C|M}(c|m) = \sum_{m \in \mathcal{M}} P_{C|M}(c|m) = 1$ holds.

⁴ For two probability distributions $P_X$, $P_Y$ over a finite set $\mathcal{A}$, the variational distance $d(\cdot, \cdot)$ is defined by $d(P_X, P_Y) \stackrel{\mathrm{def}}{=} (1/2)\sum_{a \in \mathcal{A}} |P_X(a) - P_Y(a)| = \max_{f: \mathcal{A} \to \{0,1\}} |\Pr\{f(X) = 1\} - \Pr\{f(Y) = 1\}|$.

As shown above, $\mathrm{PS}_{*M}(0)$, $\mathrm{PS}_{C*}(0)$ and $\mathrm{PS}_{CM}(0)$ are equivalent to (2)-(4), respectively, and they are all equivalent. In this paper, we are interested in the relations among these security notions when $\varepsilon$ is positive and sufficiently small. The main results of this paper are summarized as follows:

• $\mathrm{PS}_{*M}(\varepsilon)$ is the strongest among the three security notions in Definition 2, which reflects the observation that $\mathrm{PS}_{*M}(\varepsilon)$ is the most straightforward extension of (2) in Definition 1.

• The two security notions in Definition 2 other than $\mathrm{PS}_{*M}(\varepsilon)$ are equivalent to each other, and they are essentially equivalent to the statistical versions of indistinguishability and semantic security, which will be introduced later. As a result, it is clarified that indistinguishability and semantic security are weaker security notions even if they are formulated in the information theoretically secure setting.

III. Perfect Secrecy and Indistinguishability 

We reformulate the security notion of indistinguishability 
denoted by IND(e) which is suitable for information theoret- 
ically secure setting. Then, we discuss the relation between 
IND(e) and three notions of perfect secrecy presented in 
Definition 2. 

It is easy to see that (3) is also represented as $\forall m_0, \forall m_1 \in \mathcal{M}$, $\forall c \in \mathcal{C}$, $P_{C|M}(c|m_0) = P_{C|M}(c|m_1)$⁵, which is equivalent to

$$\forall m_0, \forall m_1 \in \mathcal{M}, \quad d(P_{C|M}(\cdot|m_0), P_{C|M}(\cdot|m_1)) = 0. \quad (5)$$

Note that (5) implies that cryptograms corresponding to arbitrarily chosen messages $m_0$ and $m_1$ cannot be statistically distinguished.

We now relax the condition given by (5) using a real number $\varepsilon \in [0, 1]$ such that

$$\forall m_0, \forall m_1 \in \mathcal{M}, \quad d(P_{C|M}(\cdot|m_0), P_{C|M}(\cdot|m_1)) \le \varepsilon. \quad (6)$$

According to the definition of the variational distance, $d(P_X, P_Y) \le \varepsilon$ can be rewritten as

$$\forall f: \mathcal{X} \to \{0, 1\}, \quad |\Pr\{f(X) = 1\} - \Pr\{f(Y) = 1\}| \le \varepsilon, \quad (7)$$

and hence, (6) is equivalent to

$$\forall m_0 \in \mathcal{M}, \forall m_1 \in \mathcal{M}, \forall f: \mathcal{C} \to \{0, 1\}, \quad |\Pr\{f(C) = 1 \mid M = m_0\} - \Pr\{f(C) = 1 \mid M = m_1\}| \le \varepsilon. \quad (8)$$

Note that (8) is the definition of computational indistinguishability if the function $f$ is restricted to the family of functions which can be computed in polynomial time [7, 8].

⁵ According to (1) and Theorem 1, perfect secrecy is equivalent to $\forall m_0 \in \mathcal{M}$, $\forall m_1 \in \mathcal{M}$, $\forall c \in \mathcal{C}$, $\Pr\{\mathrm{Enc}(m_0, K) = c\} = \Pr\{\mathrm{Enc}(m_1, K) = c\}$, which appears in [6, Proposition 9.3-7].



Hence, we introduce a security notion of statistical indistin- 
guishability based on (8) as follows. 

Definition 3: For a real number $\varepsilon \in [0,1]$, we say that a symmetric key cryptosystem $\Sigma$ is statistically $\varepsilon$-indistinguishable ($\mathrm{IND}(\varepsilon)$-secure, for short) if $\Sigma$ satisfies (6) (and also (8)). □

Remark 1: Statistical indistinguishability introduced by 
Dodis-Smith [4] looks different from Definition 3, but it is 
easy to show that they are essentially the same. □ 

In the following, we clarify the relation among security 
notions in Definitions 2 and 3. 

Theorem 2: For an arbitrary $\varepsilon \in [0,1]$, a symmetric key cryptosystem $\Sigma$ is $\mathrm{PS}_{C*}(\varepsilon)$-secure iff $\Sigma$ is $\mathrm{IND}(\varepsilon)$-secure. □
Proof of Theorem 2: Observe for every $m \in \mathcal{M}$ that

$$d(P_{C|M}(\cdot|m), P_C(\cdot)) = \frac{1}{2}\sum_{c \in \mathcal{C}} \Bigl| P_{C|M}(c|m) - \sum_{m' \in \mathcal{M}} P_{C|M}(c|m')P_M(m') \Bigr| = \frac{1}{2}\sum_{c \in \mathcal{C}} \Bigl| \sum_{m' \in \mathcal{M}} P_M(m')\{P_{C|M}(c|m) - P_{C|M}(c|m')\} \Bigr|. \quad (9)$$

First, we show that $\Sigma$ is $\mathrm{PS}_{C*}(\varepsilon)$-secure if $\Sigma$ is $\mathrm{IND}(\varepsilon)$-secure. In this case, we assume that $\forall m, \forall m' \in \mathcal{M}$, $d(P_{C|M}(\cdot|m), P_{C|M}(\cdot|m')) \le \varepsilon$; hence, from (9) we have

$$d(P_{C|M}(\cdot|m), P_C(\cdot)) \le \frac{1}{2}\sum_{m' \in \mathcal{M}} P_M(m') \sum_{c \in \mathcal{C}} |P_{C|M}(c|m) - P_{C|M}(c|m')| = \sum_{m' \in \mathcal{M}} P_M(m')\, d(P_{C|M}(\cdot|m), P_{C|M}(\cdot|m')) \le \sum_{m' \in \mathcal{M}} P_M(m')\,\varepsilon = \varepsilon, \quad (10)$$

and hence $\Sigma$ is $\mathrm{PS}_{C*}(\varepsilon)$-secure.

We prove the converse. Suppose that $\Sigma$ is $\mathrm{PS}_{C*}(\varepsilon)$-secure. Substitute both $m = m_0$ and

$$P_M(m') = \delta_{m_1}(m') \stackrel{\mathrm{def}}{=} \begin{cases} 1, & \text{if } m' = m_1 \\ 0, & \text{otherwise} \end{cases} \quad (11)$$

into (9). Then, we obtain

$$d(P_{C|M}(\cdot|m_0), P_C(\cdot)) = d(P_{C|M}(\cdot|m_0), P_{C|M}(\cdot|m_1)) \le \varepsilon. \quad (12)$$

Hence, $\Sigma$ is $\mathrm{IND}(\varepsilon)$-secure if it is $\mathrm{PS}_{C*}(\varepsilon)$-secure. □
The next theorem implies an equivalence between $\mathrm{IND}(\varepsilon)$ and $\mathrm{PS}_{CM}(\varepsilon)$.

Theorem 3: For an arbitrary $\varepsilon \in [0,1]$, a symmetric key cryptosystem $\Sigma$ is $\mathrm{PS}_{CM}(\varepsilon)$-secure if $\Sigma$ is $\mathrm{IND}(\varepsilon)$-secure. Conversely, if $\Sigma$ is $\mathrm{PS}_{CM}(\varepsilon)$-secure, it is $\mathrm{IND}(2\varepsilon)$-secure. □

Proof of Theorem 3: This proof is essentially the same as that of Theorem 2. Observe that $d(P_{CM}, P_C P_M)$ can be calculated as follows:

$$d(P_{CM}(\cdot,\cdot), P_C(\cdot)P_M(\cdot)) = \frac{1}{2}\sum_{c \in \mathcal{C}}\sum_{m \in \mathcal{M}} |P_{CM}(c,m) - P_C(c)P_M(m)| = \frac{1}{2}\sum_{c \in \mathcal{C}}\sum_{m \in \mathcal{M}} P_M(m)\,|P_{C|M}(c|m) - P_C(c)| = \frac{1}{2}\sum_{c \in \mathcal{C}}\sum_{m \in \mathcal{M}} P_M(m)\Bigl|\sum_{m' \in \mathcal{M}} P_M(m')\{P_{C|M}(c|m) - P_{C|M}(c|m')\}\Bigr|. \quad (13)$$

We show that $\Sigma$ is $\mathrm{PS}_{CM}(\varepsilon)$-secure if $\Sigma$ is $\mathrm{IND}(\varepsilon)$-secure. In this case, we have from (13) that

$$d(P_{CM}(\cdot,\cdot), P_C(\cdot)P_M(\cdot)) \le \sum_{m \in \mathcal{M}}\sum_{m' \in \mathcal{M}} P_M(m)P_M(m')\, d(P_{C|M}(\cdot|m), P_{C|M}(\cdot|m')) \le \varepsilon \quad (14)$$

if $\forall m, \forall m' \in \mathcal{M}$, $d(P_{C|M}(\cdot|m), P_{C|M}(\cdot|m')) \le \varepsilon$. Hence, if $\Sigma$ is $\mathrm{IND}(\varepsilon)$-secure, it is also $\mathrm{PS}_{CM}(\varepsilon)$-secure.

Then, suppose that $\Sigma$ is $\mathrm{PS}_{CM}(\varepsilon)$-secure. Then, substituting

$$P_M(m) = \begin{cases} 1/2, & \text{if } m = m_0 \text{ or } m = m_1 \\ 0, & \text{otherwise} \end{cases} \quad (15)$$

into (13), it follows that

$$d(P_{CM}, P_C P_M) = \frac{1}{2}\, d(P_{C|M}(\cdot|m_0), P_{C|M}(\cdot|m_1)) \le \varepsilon. \quad (16)$$

Hence, $\Sigma$ is $\mathrm{IND}(2\varepsilon)$-secure if it is $\mathrm{PS}_{CM}(\varepsilon)$-secure. □
We have proved that $\mathrm{PS}_{C*}(\varepsilon)$, $\mathrm{PS}_{CM}(\varepsilon)$, and $\mathrm{IND}(\varepsilon)$ are the same security notions. On the other hand, in Section V, we show an example for which $\mathrm{PS}_{*M}(\varepsilon)$ is a stronger security notion than the others in the case of $\varepsilon > 0$.

IV. Perfect Secrecy and Semantic Security 

We consider the relation between perfect secrecy and semantic security in the information theoretically secure setting. Here, $\mathrm{IND}(\varepsilon)$ also plays a crucial role.

Definition 4 (Statistical semantic security, [3]): For every real number $\varepsilon \in [0, 1]$, we say that a symmetric key cryptosystem $\Sigma = (P_K, \mathrm{Enc}, \mathrm{Dec})$ is statistically $\varepsilon$-semantically secure ($\mathrm{SS}(\varepsilon)$-secure, for short) if, for an arbitrary distribution of a message $P_M \in \mathcal{P}(\mathcal{M})$ and for an arbitrary map $f: \mathcal{C} \to \{0, 1\}$, there exists a random variable $G_f$ that depends on $f$ but is independent of $M$, so that for every map $h: \mathcal{M} \to \{0, 1\}$, it holds that

$$|\Pr\{f(C) = h(M)\} - \Pr\{G_f = h(M)\}| \le \varepsilon. \quad (17)$$

□

Intuitively, Definition 4 implies that a cryptogram $C$ is almost useless for obtaining any one bit of information about a message $M$, since (17) implies that, in order to guess one bit of information $h(M)$ of a message $M$, there is no difference between using a cryptogram $C$ together with a map $f$, and using $f$ only with a random coin.

Remark 2: In [3], $(t, \varepsilon)$-entropic security is defined if a symmetric key cryptosystem $\Sigma$ satisfies Definition 4 for every message with min-entropy $t$, and it is shown that the key length is reduced to $n - t + \omega(\log n)$ bits for $(t, n^{-\omega(1)})$-entropic security⁶. Hence, Definition 4 coincides with $(0, \varepsilon)$-entropic security. Furthermore, it is pointed out in [3] that $(0, 0)$-entropic security is equivalent to PS in Definition 1. □

We are interested in the relation between PS introduced in Definition 2 and statistical semantic security $\mathrm{SS}(\varepsilon)$ when $\varepsilon > 0$. To see this, we show the following relation between $\mathrm{IND}(\varepsilon)$ and $\mathrm{SS}(\varepsilon)$.

Theorem 4: For arbitrary $\varepsilon \in [0,1]$, if a symmetric key cryptosystem $\Sigma$ is $\mathrm{IND}(\varepsilon)$-secure, then $\Sigma$ is also $\mathrm{SS}(\varepsilon)$-secure. Conversely, if $\Sigma$ is $\mathrm{SS}(\varepsilon)$-secure, then it is also $\mathrm{IND}(4\varepsilon)$-secure. □

Proof of Theorem 4: First, we prove that $\Sigma$ is $\mathrm{SS}(\varepsilon)$-secure if $\Sigma$ is $\mathrm{IND}(\varepsilon)$-secure. This proof is essentially the same as the proof given in [8] in the computationally secure setting. Let $M^*$ be a random variable of a message which is independent of the legitimate message $M$. Then, assume that the random variable $G_f$ is generated by $P_{C|M}(c|m)$ and $M^*$, i.e., we define $G_f \stackrel{\mathrm{def}}{=} f(C^*)$, where $P_{C^*}(c) \stackrel{\mathrm{def}}{=} \sum_{m_1} P_{C|M}(c|m_1)P_{M^*}(m_1)$ for $c \in \mathcal{C}$.

Let us define an indicator function $1_{f,h}: \mathcal{C} \times \mathcal{M} \to \{0, 1\}$ for maps $f$ and $h$ such that

$$1_{f,h}(c, m) = \begin{cases} 1, & \text{if } f(c) = h(m) \\ 0, & \text{otherwise.} \end{cases} \quad (18)$$

Then, the left hand side of (17) can be evaluated as

$$\begin{aligned}
&|\Pr\{f(C) = h(M)\} - \Pr\{G_f = h(M)\}| \\
&= |\Pr\{f(C) = h(M)\} - \Pr\{f(C^*) = h(M)\}| \\
&= \Bigl|\sum_{c, m_0} 1_{f,h}(c, m_0)\{P_{CM}(c, m_0) - P_{C^*M}(c, m_0)\}\Bigr| \\
&= \Bigl|\sum_{c, m_0} 1_{f,h}(c, m_0)P_M(m_0)\{P_{C|M}(c|m_0) - P_{C^*}(c)\}\Bigr| \\
&= \Bigl|\sum_{m_0, m_1} P_M(m_0)P_{M^*}(m_1)\sum_{c} 1_{f,h}(c, m_0)\{P_{C|M}(c|m_0) - P_{C|M}(c|m_1)\}\Bigr| \\
&= \Bigl|\sum_{m_0, m_1} P_M(m_0)P_{M^*}(m_1) \times \bigl[\Pr\{f_{h,m_0}(C) = 1 \mid M = m_0\} - \Pr\{f_{h,m_0}(C) = 1 \mid M = m_1\}\bigr]\Bigr| \quad (19)
\end{aligned}$$

where $f_{h,m_0}: \mathcal{C} \to \{0,1\}$ is defined by $f_{h,m_0}(c) = 1$ iff $1_{f,h}(c, m_0) = 1$. Then, due to the definition of $\mathrm{IND}(\varepsilon)$ given by (5), it is easy to see that (19) can be bounded from above by $\sum_{m_0, m_1 \in \mathcal{M}} P_M(m_0)P_{M^*}(m_1) \cdot \varepsilon = \varepsilon$.

Conversely, we show that $\Sigma$ is $\mathrm{IND}(4\varepsilon)$-secure if $\Sigma$ is $\mathrm{SS}(\varepsilon)$-secure. Assuming that a symmetric key cryptosystem $\Sigma$ is $\mathrm{SS}(\varepsilon)$-secure, for an arbitrary $f: \mathcal{C} \to \{0, 1\}$ there exists a random variable $G_f$ that depends on $f$ but is independent of $M$, and (17) holds for an arbitrary $h: \mathcal{M} \to \{0, 1\}$.

Now, letting $h$ be a map that always outputs 1 for every $m \in \mathcal{M}$, it holds for arbitrary $f: \mathcal{C} \to \{0, 1\}$ that

$$|\Pr\{f(C) = 1\} - \Pr\{G_f = 1\}| \le \varepsilon, \quad (20)$$

which is equivalent to

$$|\Pr\{f(C) = 0\} - \Pr\{G_f = 0\}| \le \varepsilon. \quad (21)$$

Hence, for $\ell \in \{0, 1\}$, it holds that

$$\Pr\{f(C) = \ell\} \ge \Pr\{G_f = \ell\} - \varepsilon. \quad (22)$$

Multiplying both sides by $\Pr\{h(M) = \ell\} \ge 0$, we have

$$\Pr\{f(C) = \ell\}\Pr\{h(M) = \ell\} \ge (\Pr\{G_f = \ell\} - \varepsilon)\Pr\{h(M) = \ell\}, \quad (23)$$

and hence, it follows that

$$\sum_{\ell \in \{0,1\}} \Pr\{f(C) = \ell\}\Pr\{h(M) = \ell\} \ge \sum_{\ell \in \{0,1\}} (\Pr\{G_f = \ell\} - \varepsilon)\Pr\{h(M) = \ell\} \ge \Pr\{G_f = h(M)\} - \varepsilon. \quad (24)$$

From (17) we obtain

$$\Pr\{f(C) = h(M)\} - \sum_{\ell \in \{0,1\}} \Pr\{f(C) = \ell\}\Pr\{h(M) = \ell\} \le \Pr\{f(C) = h(M)\} - \Pr\{G_f = h(M)\} + \varepsilon \le 2\varepsilon. \quad (25)$$

Similarly, by evaluating the upper bound of $\Pr\{f(C) = \ell\}$, $\ell \in \{0, 1\}$, we have

$$\Bigl|\Pr\{f(C) = h(M)\} - \sum_{\ell \in \{0,1\}} \Pr\{f(C) = \ell\}\Pr\{h(M) = \ell\}\Bigr| \le 2\varepsilon. \quad (26)$$

Applying Lemma 1 in Appendix B to this inequality⁷, it holds that

$$|\Pr\{f(C) = h(M) = 1\} - \Pr\{f(C) = 1\}\Pr\{h(M) = 1\}| \le \varepsilon. \quad (27)$$

Since $P_M \in \mathcal{P}(\mathcal{M})$ is arbitrary, we set $P_M$ in the same way as (15) for arbitrarily fixed $m_0, m_1 \in \mathcal{M}$, and let $h(m) = \delta_{m_0}(m)$, which is defined by (11). Then, (27) becomes

$$\Bigl|\Pr\{M = m_0\}\Pr\{f(C) = 1 \mid M = m_0\} - \sum_{\ell \in \{0,1\}} \Pr\{f(C) = 1 \mid M = m_\ell\}\Pr\{M = m_\ell\} \cdot \Pr\{M = m_0\}\Bigr| = \frac{1}{4}\bigl|\Pr\{f(C) = 1 \mid M = m_0\} - \Pr\{f(C) = 1 \mid M = m_1\}\bigr| \le \varepsilon. \quad (28)$$

Therefore, $d(P_{C|M}(\cdot|m_0), P_{C|M}(\cdot|m_1)) \le 4\varepsilon$ is established for every $m_0, m_1 \in \mathcal{M}$. □

⁶ $f = \omega(g)$ iff $\forall \varepsilon > 0$, $\exists n_0$, $\forall n > n_0$, $g(n) < \varepsilon f(n)$.

⁷ Let $X$ and $Y$ in Lemma 1 be $f(C)$ and $h(M)$, respectively.

TABLE I
$P_{XY}$ AND ITS MARGINALS

    x \ y   |    0       1    |  P_X(x)
    --------+-----------------+---------
      0     |    a       b    |  a + b
      1     |    c       d    |  c + d
    --------+-----------------+---------
    P_Y(y)  |  a + c   b + d  |    1



V. A Gap between Perfect Secrecy and Indistinguishability, Semantic Security

We show an example of a symmetric key cryptosystem $\Sigma$ that is $\mathrm{IND}(\varepsilon)$-secure (and hence, also $\mathrm{PS}_{C*}(\varepsilon)$- and $\mathrm{PS}_{CM}(\varepsilon)$-secure) with arbitrarily small $\varepsilon > 0$, while it is $\mathrm{PS}_{*M}(\varepsilon')$-secure only with $\varepsilon' \ge 1/2$. This fact means that $\mathrm{PS}_{*M}(\varepsilon)$ is stronger than the other security notions. We note that $\mathrm{PS}_{*M}(\varepsilon)$ is a straightforward extension of Shannon's perfect secrecy given by (2) in Definition 1.

Example 1: For an arbitrary even integer $n$, define $\mathcal{C} = \{c_1, c_2, \ldots, c_n\}$ and $\mathcal{M} = \{m_1, m_2, \ldots, m_n\}$. Then, consider the following $n \times n$ probability transition matrix corresponding to $P_{C|M}$ such that

$$\mathsf{P}_{C|M} = \begin{pmatrix} n^{-1}+\delta & n^{-1}-\delta & n^{-1}+\delta & \cdots & n^{-1}-\delta \\ n^{-1}-\delta & n^{-1}+\delta & n^{-1}-\delta & \cdots & n^{-1}+\delta \\ n^{-1} & n^{-1} & n^{-1} & \cdots & n^{-1} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ n^{-1} & n^{-1} & n^{-1} & \cdots & n^{-1} \end{pmatrix} \quad (29)$$

where $\delta = \varepsilon/2 \in (0, n^{-1}]$ and the $(i, j)$ element of $\mathsf{P}_{C|M}$ is equal to $P_{C|M}(c_i|m_j)$. From Theorem 1, note that there exists a symmetric key cryptosystem $\Sigma_{\mathrm{ex}}$ corresponding to (29) since it is doubly stochastic.

It is easy to check that $d(P_{C|M}(\cdot|m_i), P_{C|M}(\cdot|m_j))$ is equal to $0$ or $2\delta$ $(= \varepsilon)$ for each $m_i, m_j \in \mathcal{M}$. Hence, $\mathsf{P}_{C|M}$ realizes an $\mathrm{IND}(\varepsilon)$-secure symmetric key cryptosystem (and hence, it is also $\mathrm{PS}_{C*}(\varepsilon)$- and $\mathrm{PS}_{CM}(\varepsilon)$-secure).

On the other hand, for uniformly distributed messages, i.e., $P_M(m_i) = n^{-1}$ for all $m_i \in \mathcal{M}$, it is easy to see that the transition probability matrix $\mathsf{P}_{M|C}$ corresponding to the family of a posteriori conditional probability distributions $\{P_{M|C}(m|c)\}_{c \in \mathcal{C}, m \in \mathcal{M}}$ is the transpose of $\mathsf{P}_{C|M}$. Hence, in this case

$$d(P_{M|C}(\cdot|c), P_M(\cdot)) = \begin{cases} n\delta/2, & \text{if } c = c_1 \text{ or } c_2 \\ 0, & \text{otherwise} \end{cases} \quad (30)$$

which implies that $\Sigma_{\mathrm{ex}}$ is $\mathrm{PS}_{*M}(\varepsilon')$-secure with⁸ $\varepsilon' \ge n\delta/2$. In particular, $\varepsilon' \ge 1/2$ for every $n$ if $\varepsilon = 2/n$ $(= 2\delta)$, which can be arbitrarily small for sufficiently large $n$. □

In this example, the symmetric key cryptosystem $\Sigma_{\mathrm{ex}}$ given by (29) violates $d(P_{M|C}(\cdot|c), P_M(\cdot)) \le \varepsilon$ with the negligibly small probability $\Pr\{C = c_1 \vee C = c_2\} = 2/n$ if $P_M$ is uniform and $n$ is sufficiently large, although $\mathrm{PS}_{*M}(\varepsilon)$-security requires $d(P_{M|C}(\cdot|c), P_M(\cdot)) \le \varepsilon$ for every $c \in \mathcal{C}$. On the other hand, $\Sigma_{\mathrm{ex}}$ is still considered to be secure under the other security notions since they focus on the probability distribution of $C$, and the probability that such insecure cryptograms are output is negligible.

⁸ Note that $d(P_{M|C}(\cdot|c), P_M(\cdot)) \le \varepsilon$ must hold for every $P_M$ to ensure $\mathrm{PS}_{*M}(\varepsilon)$-secure cryptosystems.
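To make the gap of Example 1 concrete, the following is an added example (not code from the paper): it builds the transition matrix (29) for a given even $n$ and $\delta$, checks that it is doubly stochastic (Theorem 1), and computes, for a chosen message distribution, the distances behind $\mathrm{IND}(\varepsilon)$ in (6) and the three notions of Definition 2, so that the $2\delta$ versus $n\delta/2$ gap can be observed numerically. All function names are this example's own.

```python
from fractions import Fraction
from itertools import product


def variational_distance(p, q):
    """d(P, Q) = (1/2) * sum_a |P(a) - Q(a)|, the metric of Definition 2 (footnote 4)."""
    support = set(p) | set(q)
    return sum(abs(p.get(a, 0) - q.get(a, 0)) for a in support) / 2


def example_matrix(n, delta):
    """P_{C|M} of Example 1 as {(i, j): P_{C|M}(c_i | m_j)}, 1-indexed.
    Row c_1 is 1/n + delta on odd j and 1/n - delta on even j, row c_2 is its
    mirror image, and all other rows are uniform.  n must be even so that every
    column still sums to one (doubly stochastic, hence realizable by Theorem 1)."""
    assert n % 2 == 0 and 0 < delta <= Fraction(1, n)
    base = Fraction(1, n)
    P = {}
    for i, j in product(range(1, n + 1), repeat=2):
        sign = 1 if j % 2 == 1 else -1
        if i == 1:
            P[(i, j)] = base + sign * delta
        elif i == 2:
            P[(i, j)] = base - sign * delta
        else:
            P[(i, j)] = base
    return P


def is_doubly_stochastic(P, n):
    """Row sums, column sums and non-negativity, as required in footnote 3."""
    idx = range(1, n + 1)
    return (all(sum(P[(i, j)] for j in idx) == 1 for i in idx)
            and all(sum(P[(i, j)] for i in idx) == 1 for j in idx)
            and all(v >= 0 for v in P.values()))


def security_levels(P, n, P_M):
    """Smallest eps for which the system with transition matrix P is IND(eps)-,
    PS_{C*}(eps)-, PS_{CM}(eps)- and PS_{*M}(eps)-secure under the single message
    distribution P_M = {j: P_M(m_j)}.  Definition 2 quantifies over all P_M; the
    uniform P_M alone already exhibits the gap of Section V."""
    idx = range(1, n + 1)
    col = {j: {i: P[(i, j)] for i in idx} for j in idx}               # P_{C|M}(.|m_j)
    P_C = {i: sum(P_M[j] * P[(i, j)] for j in idx) for i in idx}      # P_C(c_i)
    P_CM = {(i, j): P_M[j] * P[(i, j)] for i in idx for j in idx}     # joint P_{CM}
    P_CxM = {(i, j): P_C[i] * P_M[j] for i in idx for j in idx}       # product P_C P_M
    # a posteriori distributions P_{M|C}(.|c_i) for cryptograms that can occur
    post = {i: {j: P_CM[(i, j)] / P_C[i] for j in idx} for i in idx if P_C[i] > 0}
    return {
        "IND": max(variational_distance(col[a], col[b]) for a, b in product(idx, repeat=2)),
        "PS_C*": max(variational_distance(col[j], P_C) for j in idx),
        "PS_CM": variational_distance(P_CM, P_CxM),
        "PS_*M": max(variational_distance(post[i], P_M) for i in post),
    }


def worst_case_example(n):
    """Example 1 with eps = 2/n (delta = 1/n) under uniform messages; returns
    (doubly stochastic?, security levels) so the n*delta/2 = 1/2 gap is visible."""
    P = example_matrix(n, Fraction(1, n))
    uniform = {j: Fraction(1, n) for j in range(1, n + 1)}
    return is_doubly_stochastic(P, n), security_levels(P, n, uniform)


if __name__ == "__main__":
    ok, levels = worst_case_example(10)
    print("doubly stochastic:", ok)
    for name, value in levels.items():
        print(f"{name:6s} {value}")   # IND 1/5, PS_C* 1/10, PS_CM 1/10, PS_*M 1/2
```

Increasing $n$ drives IND, $\mathrm{PS}_{C*}$ and $\mathrm{PS}_{CM}$ towards zero while $\mathrm{PS}_{*M}$ stays at $1/2$, which is exactly the separation claimed for $\Sigma_{\mathrm{ex}}$.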

Acknowledgement 

The authors would like to thank Prof. Hideki Imai in Chuo 
University, Prof. Ryutaroh Matsumoto in Tokyo Institute of 
Technology, and Mr. Yusuke Sakai in University of Electro- 
Communications for their helpful comments. The work of the 
first author, M. Iwamoto is partially supported by the MEXT 
Grant-in-Aid for Young Scientists (B) No. 20760236. 

References 

[1] C. E. Shannon, "Communication theory of secrecy systems," Bell Tech. J., vol. 28, pp. 656-715, Oct. 1949.

[2] G. S. Vernam, "Cipher printing telegraph systems for secret wire and radio telegraphic communications," J. of American Institute for Electrical Engineering, vol. 45, pp. 109-115, 1926.

[3] A. Russell and H. Wang, "How to foil an unbounded adversary with a short key," IEEE Trans. Information Theory, pp. 1330-1140, 2006. Preliminary version: EUROCRYPT 2002, LNCS 2332, Springer-Verlag, pp. 133-148, 2002.

[4] Y. Dodis and A. Smith, "Entropic security and the encryption of high entropy messages," TCC 2005, pp. 556-577. Full version: IACR Cryptology ePrint Archive, report 2004/219, http://eprint.iacr.org/2004/219/.

[5] H. Krawczyk, "LFSR-based hashing and authentication," Advances in Cryptology - CRYPTO'94, LNCS 839, Springer-Verlag, 1994.

[6] H. Delfs and H. Knebl, Introduction to Cryptography, Principles and Applications. Information Security and Cryptography Texts and Monographs, Springer-Verlag, second ed., 2001.

[7] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270-299, 1984.

[8] O. Goldreich, Foundations of Cryptography Volume I: Basic Tools. Springer-Verlag, 2001.

Appendix 

A. Proof of Theorem 1 

Observe that a random variable $C$ of a cryptogram is obtained by $C = \mathrm{Enc}(M, K)$, where $M$ and $K$ are independent random variables of a message and a key, respectively, and $\mathrm{Enc}: \mathcal{M} \times \mathcal{K} \to \mathcal{C}$ is a deterministic map of encryption. Hence, the joint probability distribution $P_{CM}(c, m)$ of a cryptogram and a message can be represented as

$$\begin{aligned} P_{CM}(c, m) &= \Pr\{C = c, M = m\} \\ &= \Pr\{\mathrm{Enc}(M, K) = c, M = m\} \\ &= \sum_{k: \mathrm{Enc}(m, k) = c} P_{MK}(m, k) \\ &\stackrel{*}{=} \sum_{k: \mathrm{Enc}(m, k) = c} P_M(m)P_K(k) \\ &= P_M(m)\Pr\{\mathrm{Enc}(m, K) = c\}, \end{aligned} \quad (31)$$

where the marked equality holds since $M$ and $K$ are independent. Hence, we have (1).

In what follows, we consider the case of $|\mathcal{M}| = |\mathcal{C}|$. In this case, if $k \in \mathcal{K}$ is fixed, there exists a bijection $\pi_k: \mathcal{M} \to \mathcal{C}$ since every cryptogram $c \in \mathcal{C}$ can be uniquely decrypted by $k \in \mathcal{K}$. Hence, for each $k \in \mathcal{K}$, let $\Pi_k \in \{0, 1\}^{n \times n}$, $n = |\mathcal{M}|$, be the permutation matrix which corresponds to the bijection $\pi_k$. Then, it is easy to see that the probability transition matrix induced by $\mathrm{Enc}$ and $K$ can be represented as

$$\mathsf{P}_{C|M} = \sum_{k \in \mathcal{K}} P_K(k)\,\Pi_k, \quad (32)$$

which is doubly stochastic. Conversely, due to the Birkhoff-von Neumann Theorem, there exists a pair of $P_K(k)$ and $\Pi_k$, $k \in \mathcal{K}$, satisfying (32) if $\mathsf{P}_{C|M}$ is doubly stochastic. □

B. Lemma in Proof of Theorem 4 

In the proof of Theorem 4, we use the following lemma:
Lemma 1: For two binary random variables $X$ and $Y$ over a set $\{0, 1\}$, and for $\varepsilon \in [0, 1]$, the following two inequalities are equivalent:

$$\Bigl|\Pr\{X = Y\} - \sum_{\ell \in \{0,1\}} \Pr\{X = \ell\}\Pr\{Y = \ell\}\Bigr| \le \varepsilon \quad (33)$$

$$|\Pr\{X = Y = \ell\} - \Pr\{X = \ell\}\Pr\{Y = \ell\}| \le \frac{\varepsilon}{2}, \quad \ell \in \{0, 1\} \quad (34)$$

□

We show that (33) ⇒ (34) since (34) ⇒ (33) is obvious. Letting $P_{XY}(x, y)$, $x, y \in \{0, 1\}$, be the joint probability distribution of $X$ and $Y$ given by TABLE I, (33) is equivalent to

$$|a + d - (a + b)(a + c) - (c + d)(b + d)| \le \varepsilon. \quad (35)$$

Since it holds that $a + b + c + d = 1$, (35) becomes $|ad - bc| \le \varepsilon/2$. Furthermore, using $a + b + c + d = 1$ again, we have

$$|P_{XY}(0, 0) - P_X(0)P_Y(0)| = |a - (a + b)(a + c)| \le \frac{\varepsilon}{2} \quad (36)$$

$$|P_{XY}(1, 1) - P_X(1)P_Y(1)| = |d - (c + d)(b + d)| \le \frac{\varepsilon}{2} \quad (37)$$

which implies (33). □
Remark 3: Note that (33) ⇒ (34) does not generally hold if $X$ and $Y$ are not binary random variables. □



